Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Please unblock package matrix-synapse. This upload backports two security updates from 0.99.3. unblock matrix-synapse/0.99.2-5 - -- Cheers, Andrej -----BEGIN PGP SIGNATURE----- iQJTBAEBCAA9FiEE47V74F4CWMP6ghzXtke0/0DsYwMFAlzRoQ8fHGFuZHJldy5z aGFkdXJhQGNvbGxhYm9yYS5jby51awAKCRC2R7T/QOxjAyrQEACo2di2PSfR7NbF evPJxSV1iD83rZZf19ACH39XYR/rSAGOM2ypeEy6jpDSv4sRwYkB7ag85ns9OoTp 41F29yXL8ZdPVvlM7ThPvVZj3Fi9fp1zu8VfVxqZR0nglvA/6X+oiaNz5Xb3Sd8m kh6Gld68k+6r4JDgR5IU7tuWabfMOU+lKPa6jMRQU25T6TCyc0qkNJiMgGTYba33 b9PWmTrhFL7+5Xt+u9YaaAPtC7zDU/8CkuPMEiZcsvdCwK7P2bcpc/il+TfM2f8n s4OpFGT/dZC5TBW9rQnvXIinei9l33lf3yG2MWsibEIxwaJ8yySSb8jjr29tXNK6 wJqa+itgJLLI7IcYaFe/ndKBqhNN7XnP6QyWdFAsUdC9Ha4AbLRWvA9VEPFMT0tY 1xeeGn2UmNcoOFlwZ7Kr24yhk1xjK8twbOcubeyIXD7HkQ5FTbTkYSL0DP3vZl14 ZsnaYbElRsplpCSnpAqclAYEkpfL3CM4rrdALgk/3mxEgNcKUAzu6BwPVNfYcmsz irUfTHgbJJug7HgGf8R8Q6qa0JcL8DyqUvtOZodQo//0BuI2dEuzc898WiaxyjVr rUWzT7UmyB51ijDRPKc36hGIZwCXdnLmX2HCF9O2i3fGnXGkV/PkMIu4F7bN/3tW lv0lsvm4A9rYJ7HuTscz1hKfOvNSig== =23ET -----END PGP SIGNATURE-----
diff --git a/debian/changelog b/debian/changelog
index 0dfdb8d..a786521 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+matrix-synapse (0.99.2-5) unstable; urgency=high
+
+ * Security updates backported from 0.99.3:
+ - Use SystemRandom for token generation
+ - Blacklist 0.0.0.0 and :: by default for URL previews
+
+ -- Andrej Shadura <andre...@debian.org> Fri, 03 May 2019 22:26:41 +0200
+
 matrix-synapse (0.99.2-4) unstable; urgency=medium
 [ Antoine Beaupré ]
diff --git a/debian/patches/blacklist-localhost-by-default-for-URL-previews.patch b/debian/patches/blacklist-localhost-by-default-for-URL-previews.patch
new file mode 100644
index 0000000..21853e9
--- /dev/null
+++ b/debian/patches/blacklist-localhost-by-default-for-URL-previews.patch
@@ -0,0 +1,85 @@ +From 1a7104fde3abc5392b90ca084efa896d46e24f91 Mon Sep 17 00:00:00 2001 +From: Richard van der Hoff <rich...@matrix.org> +Date: Fri, 3 May 2019 13:46:50 +0100 +Subject: [PATCH] Blacklist 0.0.0.0 and :: by default for URL previews + +--- + changelog.d/5134.bugfix | 1 + + docs/sample_config.yaml | 14 +++++++++----- + synapse/config/repository.py | 28 ++++++++++++++++++---------- + 3 files changed, 28 insertions(+), 15 deletions(-) + create mode 100644 changelog.d/5134.bugfix + +diff --git a/changelog.d/5134.bugfix b/changelog.d/5134.bugfix +new file mode 100644 +index 0000000000..684d48c53a +--- /dev/null ++++ b/changelog.d/5134.bugfix +@@ -0,0 +1 @@ ++Blacklist 0.0.0.0 and :: by default for URL previews. Thanks to @opnsec for identifying and responsibly disclosing this issue too! +diff --git a/synapse/config/repository.py b/synapse/config/repository.py +index 3f34ad9b2a..d155d69d8a 100644 +--- a/synapse/config/repository.py ++++ b/synapse/config/repository.py +@@ -154,17 +154,21 @@ def read_config(self, config): + except ImportError: + raise ConfigError(MISSING_NETADDR) + +- if "url_preview_ip_range_blacklist" in config: +- self.url_preview_ip_range_blacklist = IPSet( +- config["url_preview_ip_range_blacklist"] +- ) +- else: ++ if "url_preview_ip_range_blacklist" not in config: + raise ConfigError( + "For security, you must specify an explicit target IP address " + "blacklist in url_preview_ip_range_blacklist for url previewing " + "to work" + ) + ++ self.url_preview_ip_range_blacklist = IPSet( ++ config["url_preview_ip_range_blacklist"] ++ ) ++ ++ # we always blacklist '0.0.0.0' and '::', which are supposed to be ++ # unroutable addresses. ++ self.url_preview_ip_range_blacklist.update(['0.0.0.0', '::']) ++ + self.url_preview_ip_range_whitelist = IPSet( + config.get("url_preview_ip_range_whitelist", ()) + ) +@@ -235,11 +239,11 @@ def default_config(self, data_dir_path, **kwargs): + height: 600 + method: scale + +- # Is the preview URL API enabled? 
If enabled, you *must* specify +- # an explicit url_preview_ip_range_blacklist of IPs that the spider is +- # denied from accessing. ++ # Is the preview URL API enabled? ++ # 'False' by default: uncomment the following to enable it (and specify a ++ # url_preview_ip_range_blacklist blacklist). + # +- url_preview_enabled: False ++ #url_preview_enabled: True + + # List of IP address CIDR ranges that the URL preview spider is denied + # from accessing. There are no defaults: you must explicitly +@@ -249,6 +253,9 @@ def default_config(self, data_dir_path, **kwargs): + # synapse to issue arbitrary GET requests to your internal services, + # causing serious security issues. + # ++ # This must be specified if url_preview_enabled. It is recommended that you ++ # uncomment the following list as a starting point. ++ # + #url_preview_ip_range_blacklist: + # - '127.0.0.0/8' + # - '10.0.0.0/8' +@@ -259,7 +266,7 @@ def default_config(self, data_dir_path, **kwargs): + # - '::1/128' + # - 'fe80::/64' + # - 'fc00::/7' +- # ++ + # List of IP address CIDR ranges that the URL preview spider is allowed + # to access even if they are specified in url_preview_ip_range_blacklist. + # This is useful for specifying exceptions to wide-ranging blacklisted diff --git a/debian/patches/series b/debian/patches/series index dbc914f..b216485 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -2,3 +2,5 @@ 0006-Avoid-pip-install.patch fix-deps.patch config-add-signing_key_path.patch +blacklist-localhost-by-default-for-URL-previews.patch +use-SystemRandom-for-token-generation.patch diff --git a/debian/patches/use-SystemRandom-for-token-generation.patch b/debian/patches/use-SystemRandom-for-token-generation.patch new file mode 100644 index 0000000..cfe8f8d --- /dev/null +++ b/debian/patches/use-SystemRandom-for-token-generation.patch 
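Review bot: The embedded upstream patch's diffstat still lists `docs/sample_config.yaml | 14 +++++++++-----` and "3 files changed, 28 insertions(+), 15 deletions(-)", but the patch body only carries `changelog.d/5134.bugfix` and `synapse/config/repository.py`, so the header no longer describes what quilt will apply; either trim that line and the totals, or add a short note above the diffstat such as `Debian: docs/sample_config.yaml hunk not applied`. On the code itself, `self.url_preview_ip_range_blacklist.update(['0.0.0.0', '::'])` forces only those two exact addresses, while every range in the sample list (`127.0.0.0/8`, `::1/128`, `fc00::/7`, …) remains operator-supplied, and whether `url_preview_ip_range_whitelist`, read immediately afterwards, can override the forced entries depends on how the preview resource consults the two sets, which is outside this hunk. The new comment in `default_config` reads "specify a url_preview_ip_range_blacklist blacklist", a doubled word worth trimming at the next patch refresh; the switch from `url_preview_enabled: False` to a commented `#url_preview_enabled: True` presumably only affects freshly generated configs, not existing homeserver.yaml files. Both `read_config` and `default_config` start and continue outside the hunk.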
@@ -0,0 +1,44 @@ +From 247dc1bd0bd9ee2b9525495c0dbd819baf10ec1f Mon Sep 17 00:00:00 2001 +From: Richard van der Hoff <rich...@matrix.org> +Date: Fri, 3 May 2019 12:38:03 +0100 +Subject: [PATCH] Use SystemRandom for token generation + +--- + changelog.d/5133.bugfix | 1 + + synapse/util/stringutils.py | 9 +++++++-- + 2 files changed, 8 insertions(+), 2 deletions(-) + create mode 100644 changelog.d/5133.bugfix + +diff --git a/changelog.d/5133.bugfix b/changelog.d/5133.bugfix +new file mode 100644 +index 0000000000..12a32a906b +--- /dev/null ++++ b/changelog.d/5133.bugfix +@@ -0,0 +1 @@ ++Switch to using a cryptographically-secure random number generator for token strings, ensuring they cannot be predicted by an attacker. Thanks to @opnsec for for identifying and responsibly disclosing this issue! +diff --git a/synapse/util/stringutils.py b/synapse/util/stringutils.py +index fdcb375f95..69dffd8244 100644 +--- a/synapse/util/stringutils.py ++++ b/synapse/util/stringutils.py +@@ -24,14 +24,19 @@ + string.digits + string.ascii_letters + ".,;:^&*-_+=#~@" + ) + ++# random_string and random_string_with_symbols are used for a range of things, ++# some cryptographically important, some less so. We use SystemRandom to make sure ++# we get cryptographically-secure randoms. ++rand = random.SystemRandom() ++ + + def random_string(length): +- return ''.join(random.choice(string.ascii_letters) for _ in range(length)) ++ return ''.join(rand.choice(string.ascii_letters) for _ in range(length)) + + + def random_string_with_symbols(length): + return ''.join( +- random.choice(_string_with_symbols) for _ in range(length) ++ rand.choice(_string_with_symbols) for _ in range(length) + ) + +
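Review bot: `rand = random.SystemRandom()` is added as a public module-level name, but the two helpers that now depend on it still carry no docstring stating the guarantee the new comment describes; since some callers use them for security-sensitive tokens, that contract belongs on the functions themselves, e.g. `"""Return `length` random ASCII letters drawn from SystemRandom (os.urandom-backed); suitable for tokens."""` on `random_string` and the equivalent wording on `random_string_with_symbols`. The backport rewires only these two functions, so any other use of the `random` module for secrets elsewhere in the 0.99.2 tree would remain unaddressed; none is visible on this page, but a grep before unblocking would confirm that. If the package no longer needs to run on Python 2, `secrets.choice` expresses the same intent more directly, though the SystemRandom form is correct as it stands. The `_string_with_symbols` definition that provides the hunk's first context lines starts before the hunk.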